Synopsis
Description
The bare capy command is the main sync loop. It authenticates you (if needed), pulls the latest encrypted secrets from the service, diffs them against your local .env, and writes any changes back. On first run in a project, it interactively initializes the project - picking an org, creating a project, encrypting your existing .env, and writing keep.lock.
See Syncing secrets for the full flow.
Options
| Flag | Description |
|---|
--env-path <path> | Use a custom .env file location instead of the project root. |
-v, --verbose | Enable detailed logging. Useful when debugging sync issues. |
-f, --force | Re-encrypt existing variables even if they appear unchanged. |
-d, --dry-run | Preview the sync without applying any changes. |
Examples
# Sync secrets in the current project
capy
# Use a different .env file
capy --env-path config/.env.local
# Preview what a sync would do
capy --dry-run
# Force re-encryption of every variable
capy --force
First-run behavior
On first run (no keep.lock in the project), Capy:
- Authenticates you in the browser.
- Prompts for an organization (or creates one, which generates a seed phrase).
- Prompts for a project (or creates one).
- Creates a
development branch.
- Encrypts every value in your
.env and uploads the ciphertext.
- Rewrites
.env with capy:… snippets and gitignores it.
- Writes a commented-out copy of your original
.env to .env.pre-capy.old (gitignored).
- Installs
post-checkout and post-merge git hooks, which run capy status after branch switches and merges.
- Commits only
keep.lock to git (a small versioning manifest with no keys or plaintext).
Last modified on May 20, 2026